Privacy protection for patients with substance use problems.

Many Americans with substance use problems will have opportunities to receive coordinated health care through the integration of primary care and specialty care for substance use disorders under the Patient Protection and Affordable Care Act of 2010. Sharing of patient health records among care providers is essential to realize the benefits of electronic health records. Health information exchange through meaningful use of electronic health records can improve health care safety, quality, and efficiency. Implementation of electronic health records and health information exchange presents great opportunities for health care integration, but also makes patient privacy potentially vulnerable. Privacy issues are paramount for patients with substance use problems. This paper discusses major differences between two federal privacy laws associated with health care for substance use disorders, identifies health care problems created by privacy policies, and describes potential solutions to these problems through technology innovation and policy improvement.

Introduction

Health information technology (HIT), briefly defined as electronic information systems used to support health care operations, is increasingly recognized as essential for the improvement of quality, safety, and efficiency in individual health care1,2 and public health.3 Wide implementation of HIT in US health care is long overdue. The most profound action with respect to HIT taken by the Obama administration and the US Congress was enactment of the Health Information Technology for Economic and Clinical Health Act.4,5 This legislation will provide a total of $19 billion in cash incentives to health care providers who implement and “meaningfully use” electronic health records (EHR) systems in the next few years.2

The required “meaningful use” of EHRs is expected to increase evidence-based medical practice, facilitate management of complicated chronic diseases, and reduce medical errors and control health care costs.6 Vista, the US Department of Veteran Affairs EHR system, for example, is one of the nation’s most comprehensive EHR systems. Diabetic patients in Vista have better control of timing of eye examinations, blood low-density lipoprotein cholesterol measurement, and hemoglobin A1c testing compared with patients in the private sector, where HIT is much less comprehensive.7 The cumulative net return of the investment in Vista was over $3 billion as of 2007.7

A key component of the “meaningful use” of EHRs is health information exchange (HIE) across traditional business boundaries in health care.3 Sharing information, such as sending a discharge summary to a patient’s subsequent care providers and transmitting and sharing laboratory results between a patient’s providers8 may improve health care quality and lead to cost reductions. HIE can save lives in an emergency when prompt diagnosis and treatment are crucial. HIE can also benefit public health through increased monitoring and analysis of aggregated health data.9

However, widespread implementation of EHRs and HIE raises concerns about potential breaches of the privacy, security, and confidentiality of individually identifiable health information (IIHI, ie, protected health information). The electronic transmission and sharing of IIHI among various entities over the Internet10 increases the numbers of people, chiefly providers and researchers, who see information considered to be private. Privacy issues are paramount for patients with substance use problems due to stigma, discrimination, potential prosecution, and loss of employment. The longstanding privacy concerns related to substance abuse health records are heightened by the widespread use of HIT, hindering the integration of primary health care and specialty care for substance abuse.11,12 These concerns, if not addressed and resolved properly, can deter patients from seeking treatment or providing accurate information to their care providers, and thus downgrade the value of EHRs for the care of patients with substance use problems. In response to these issues, this paper reviews and contrasts the two major federal laws impacting privacy protection for substance abusers seeking health care. Emphasis is placed on issues associated with the laws that must be addressed to provide adequate privacy protection and promote the integration of specialty substance abuse treatment with primary care.

Federal laws and regulations protecting patient privacy

The Health Insurance Portability and Accountability Act (HIPAA) of 199613 was the first federal law to address privacy and security standards broadly and provide federal protection for IIHI. HIPAA has been amended over the years to accommodate the advancement of HIT. Generally, it establishes national standards to protect individuals’ medical records and other personal health information from unwanted disclosure or use. A complete explanation of the HIPAA can be found under the Code of Federal Regulations (CFR) title 45, Parts 160, 162, and 164 (http://www.gpoaccess.gov/cfr/index.html). The HIPAA Privacy Rule provides federal protections for IIHI held by covered entities and gives patients the right to examine their health care records and to request corrections if they believe the records are inaccurate or misleading. The rules are balanced so that they provide protection of IIHI while permitting minimal necessary disclosure of health information without a patient’s authorization such as for treatment, payment, health care operations [§164.502 (a) (b)] or exceptional requirements allowed by law (§164.512, http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr164_07.html). Of note, the standards in the HIPAA Privacy Rule are minimum requirements for all health care providers, but may be insufficient to protect privacy and confidentiality of IIHI related to substance use conditions. Patients with substance use problems are generally cautious about substance use-related information in their health records due to the potential illegality of their behaviors. A breach of privacy can have a significantly negative impact on their health, employment, health insurance, social relationships, and even legal rights. The US Congress has long recognized that health information gathered from patients with substance use problems is especially sensitive. The Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2) regulations were issued in 197514 and revised in 1987.15 This has been a cornerstone in protecting the IIHI confidentiality of a drug abuse patient. 42 CFR Part 2 specifies that substance abuse treatment programs are not permitted to disclose any patient information that would directly or indirectly identify a patient having previous or current alcohol or drug abuse problems, unless the patient’s written consent is obtained. There are very limited exceptions to the requirement of written consent specified in 42 CFR Part 2. These include medical emergencies (Subpart D §2.51), qualified scientific research, audit or program evaluation (Subpart D §2.52–2.53), court ordered criminal investigation against patients or personnel of the program (Subpart E §2.61–2.67), and suspected child abuse or neglect [§2.12 (c) (6)].

Consent may not be required between administrative contact of two 42 CFR Part 2 programs, within the same program, or for organizations that have direct administrative control of the program [§2.12 (c) (3) (4)].16 However, the 42 CFR Part 2 regulations are not widely known by mainstream medical doctors because the regulations only apply to substance abuse treatment programs.

Violation of either regulation carries civil penalties. Enforcement of HIPAA was strengthened in 2009 to accommodate widespread implementation of HIT, HIE, and EHR pursuant to the Health Information Technology for Economic and Clinical Health Act, and fines can be up to $50,000 for each violation.17

The HIPAA has more flexible disclosure standards, but imposes stiffer penalties for violators, whereas 42 CFR Part 2 has more stringent disclosure standards, but imposes less severe penalties. Major differences in these two laws and regulations discussed above are summarized in Table 1. 42 CFR Part 2 along with the HIPAA has provided a double layer of privacy protection for patients who seek care in substance abuse treatment programs. In addition, many states have their own privacy laws related to IIHI which cannot be overridden by federal laws.18,19 Therefore, the end result is that the most stringent law must be followed regarding disclosure of IIHI associated with substance use.

Table 1

Major differences between HIPAA and 42 CFR Part 2

HIPAA (45 CFR Parts 160, 162 and 164)	Confidentiality of alcohol and drug abuse patient records (42 CFR Part 2)
Applies to all health care providers	Applies only to federally funded facilities (directly or indirectly) specializing in substance abuse treatment. Private providers are not regulated
Permits minimal necessary disclosure of protected health information without patient authorization [§164.502 (a) (b), §164.512]	Requires written consent and authorization from patients for any IIHI disclosure to third parties (Subpart C §2.31) with few exceptions (Subpart C §2.33)
Civil penalty for each case of violation of HIPAA is at least $100 and up to $50,00017	Civil penalty for first case of violation is $500, increased to $5000 for each additional case of violation (§2.4)
Patients have the right to access and examine their health care records and to request amendment [164.526 (a)] or accounting of disclosure of their protected health information [164.528 (a) (3)].	Right of patients to access their health records is not prohibited [§2.23 (a)], but request of amendment or accounting of disclosure is not specified in the regulation.

Abbreviations: HIPAA, Health Insurance Portability and Accountability Act of 1996; IIHI, individually identifiable health information; CFR, Code of Federal Regulations.

Problems associated with separated health care for substance abuse

The limited application of 42 CFR Part 2 to specialty substance abuse treatment facilities and the discrepancies between HIPAA and Part 2 are becoming serious issues affecting the integration and coordination of health care for patients with substance use conditions. The implementation of 42 CFR Part 2 has increased trust between patients with substance use problems and their care providers in substance abuse treatment programs. However, it has also contributed to a separation of substance abuse specialty care from mainstream medical care. Separation of health care delivery systems creates two problems, ie, a lack of preventive and treatment measures in the primary care setting for substance use problems and a lack of effective communication and coordination among different types of health care delivery systems.

Patients who have substance use problems are not routinely screened or treated in the general medical care setting although the literature continues to show the cost-effectiveness of screening, early diagnosis, and intervention for substance use problems.20 For example, there is abundant evidence supporting screening and brief intervention for alcohol use problems among adults in primary care settings.21–32 Evidence is also emerging for the efficacy of screening and brief intervention for illicit drug use in primary care settings.33–37 Yet, screening and brief intervention are not routinely employed in primary care, let alone other general medical settings.23,24,38 The potential benefits of screening and brief intervention have pushed forward federal efforts to disseminate screening and brief intervention through federal demonstration pilot projects across the country.39 As we move closer to the integration of substance abuse specialty care and primary care, health care practitioners struggle to understand which regulations are applicable. The discrepancies and differences between the HIPAA and 42 CFR Part 2 cause considerable confusion for practitioners on how to provide services for patients with substance use problems appropriately without risking violation of privacy laws.

There would be very limited effective communication between these two types of providers if we were to integrate care without modifying either law. Failure in communication between primary care and substance abuse specialty care providers can cause critical medical errors and put patient safety at risk. For instance, if a substance abuse specialty care provider withholds a patient’s substance use records from the general medical doctor, the patient could die from overdose of opioids prescribed for pain management,40 or fatal drug-drug interactions.41,42 These issues have increasingly become a major public health threat in the US and in the world.42–44 The success of US health care reform with respect to treatment for substance abuse will largely depend on balancing the need for efficient and effective health care and the need for protection of patient privacy. Whether and how the HIPAA and 42 CFR Part 2 can be integrated and synchronized is one of the keys to the integration of primary and substance abuse specialty care. The innovation of health information technology can help accelerate the integration, but must be governed by meaningful and practical policies. Next, we will discuss challenges and opportunities of both technologies and policies in confronting privacy issues.

Challenges and opportunities of data segmentation

Health data segmentation is a practice rooted in various federal and state laws addressing the stigma against alcohol and drug abusers. It is “the process of sequestering from capturing, accessing or viewing certain data elements that are perceived by a legal entity, institution, organization, or individual as being undesirable to share”.45 IIHI, such as genetic information, psychotherapy notes, and substance abuse treatment records, can be sequestered and prevented from disclosure through data segmentation technology. Data segmentation in the context of national EHR and HIE systems must be more complicated than that in the “paper” health care systems or within a closed local computerized system, systems on which the concept was formulated. To allow workable segmentation, substance use-related information must be entered using specific structures and codes. Free text is not accepted for programming segmentation.45 This requirement can be challenging for practitioners accustomed to writing text notes to record behavioral health medical histories. Data segmentation must be ruled by the degree of consent granted by the patient. A patient’s Consent Directive is their own privacy policy about what IIHI is to be disclosed, to whom, under what circumstances, and in which period of time. A Consent Directive could become considerably sophisticated with the ability to protect patient autonomy and privacy through masking information undesired for disclosure. A Consent Directive can include instructions for overriding the “masking”, in which individuals (eg, patient’s preauthorized physicians) who have permission to access the “shared secrets” can override the masking of IIHI under a specific condition. For patients with substance use problems, a Consent Directive may be especially effective against undue disclosure of medical information, enhancing consumer satisfaction with and trust in modern EHR systems. However, an unintended consequence of granular or inconsistent consent policies is that access to a patient’s critical health record could become so complicated and costly that health care providers might be deterred from retrieving and using the health records for appropriate health care.

A recent Consent Directive data standardization milestone in May 2010 was the release of the HL7 Implementation Guide for Clinical Data Architecture Release 2.0 based on the mapping of HL7 Version 3 Domain Analysis Model: Medical Records and Composite Privacy Consent Directive Domain Analysis Model Data Standard for Trial Use Release 2.46 The domain analysis model will enable the automation of data segmentation in serving Consent Directive and privacy protection. The domain analysis model includes the following core electronic consent options:47 no consent; opt out (default option is included for HIE, but patients can opt out completely); opt out with exceptions (default option is included for HIE, but patients can completely or partially opt out); opt in (default option is not included for HIE, with option for all opt out); and opt in with restrictions (default option is not included for HIE, but with options for partial selected data for HIE).46 At this point, data segmentation automation technology is still at its infancy. In August 2010, the Policy and Security Tiger Team workgroup recommended to the Office of National Coordinator for Health Information Technology, an organization within the Department of Health and Human Services to oversee the HIT development and implementation, that “it is critical to educate patients to understand to which level their preferences can be practically honored before a technical solution for data segmentation is applied”.48 Although data segmentation and automation are technically complex, policy challenges involving human factors are even more arduous.

Challenges and opportunities of privacy policies in health care

Privacy policy-makers need to first define what is “ sensitive” information in the EHR. In general, information that potentially harms a patient either physically, socially, psychologically, or economically in the event of disclosure is considered “sensitive” health information. The National Committee on Vital and Health Statistics has recently refined their recommended categories of sensitive information to include genetic information, psychotherapy notes, substance abuse treatment records, sexually transmitted diseases, mental health, children/adolescent sexuality, and reproductive health information.49 However, the definition of “sensitive information” can be subjective because different people have different perspectives in this regard. Hence, an agreement upon “sensitive information” among various stakeholders, especially among patients, health care providers, and payers will be essential to policy-making. On the other hand, one must recognize that data segmentation is not the purpose, but rather a procedure to protect patient privacy. Segmented data should be made accessible for relevant health care purposes. Only better communication would lead to better health care.

It is essential to determine who has the authority to control information disclosure and what limits can be placed on that authority. Patients with sensitive substance use information are likely to desire to have full or partial control of their IIHI. In an Agency for Healthcare Research and Quality 2009 consumer engagement focus group study, almost all consumers reported that they should be given some control over how their health data should be shared.50 The report implies the importance of engaging health care consumers in the data segmentation process. In contrast with patients, health care providers may feel they must have sufficient accessibility to patients’ critical health data to ensure the quality of care and the accuracy of the health records.

While the EHR system provides an excellent platform for data sharing, the benefits of EHRs cannot be fully realized without sharing critical health information, such as a patient’s prescription records of controlled substance use, and history of alcohol and illicit drug use. American public health has been seriously challenged by a five-fold increase in opioid overdose-caused deaths coinciding with a ten-fold increase in prescribed opioids over the last two decades.40,51 To confront both this public health crisis and increased privacy concerns in the HIT era, policy-makers must determine whether, when, and how to modify and reconcile federal and state regulations and policies. Americans may then harvest the most returns from the massive federal investment in the EHR system.

Further, inhibiting the disclosure of critical IIHI can be as harmful as undesired disclosure of IIHI, and raises ethical questions. Of note, neither the HIPAA nor 42 CFR (Part 2) has explicitly stated a health care provider’s responsibility or obligation to disclose any IIHI, including potentially harmful health information. For instance, should a health care provider disclose a school bus driver patient’s alcoholism to a third party even if the patient does not authorize it? In such a case, abiding by privacy laws may contradict a physician’s “do no harm” Hippocratic Oath. When privacy laws, which are created for ethical reasons, force a physician to choose against ethical principles, should we consider revision of the policy? If sacrificing one person’s privacy can protect the lives of hundreds of others, is it fair to choose to protect more and innocent lives? The amendment of 42 CFR Part 2 to permit disclosure of substance abuse patients’ IIHI without authorization against suspected child abuse or neglect is a good example of federal action to protect child welfare [42 CFR Part 2 §2.63 (a) (1), §2.12 (c) (6)].

Indeed, the tension between promoting safe, effective health care and protecting patient privacy has increased recently. An amendment to 42 CFR Part 2 was proposed by a committee of attorneys with the aim of easing health care providers’ access to patients’ IIHI for necessary health care needs.52 One of the main proposed modifications for 42 CFR Part 2 was to remove the requirement of written consent for any disclosure associated with IIHI, and instead permit “minimum necessary disclosure” without written consent, which is a privacy standard covered under HIPAA. The proposal triggered strong opposition from patient privacy rights groups that have been strongly recommending the consent requirement in 42 CFR Part 2 be extended to all medical practice and incorporated into the “meaningful use” of EHR stage 2 criteria.53,54 Indeed, it would not make sense to modify 42 CFR Part 2 against patients’ wishes because privacy protection is a priority for many patients with substance use problems. Lessons learned from the Massachusetts eHealth Collaborative are that a successful HIE model “can only be as good as patients’ willingness to share their medical data”.55 The Department of Health and Human Services and Substance Abuse and Mental Health Services Administration have been exploring technical solutions within the legal framework of HIPAA and 42 CFR Part 2 laws and regulations.16,56

There remains tension between patient privacy concerns and public health good until adequate technical and regulatory solutions are in place. It may take years to solve these problems given the complexity of US health care systems. Perhaps important lessons can be learned from other health care systems, such as those implemented by the Europeans and Canadians, who have experience in optimizing their national EHR and HIE projects.57 As the US is moving forward to develop the most appropriate HIE models and privacy policies, “building trust” and establishing solid accountability mechanisms are essential to promote the implementation of EHRs and HIE.12,58,59 Trust built upon separation of health care must be replaced by trust within a competent, trustful, and integrated health care system.

Conclusion

The promise of new health care reform in reducing disparities for underserved patients with substance use problems will not be realized if critical health records cannot be shared as needed between health care providers. However, inconsistencies in the existing privacy laws and their implementing regulations must be resolved through advanced information technologies and improvement of health information regulations to ensure meaningful health care integration. Appropriate models for HIE and EHRs are under development to accommodate the established federal and states laws governing the sharing of health information of patients with substance use problems. Federal and state governments must support innovations in health information technology and take action to amend privacy policies. A meaningful and practical privacy policy should provide good balance between the need for protecting patient privacy and the need for health care providers to access critical patient health information. The integration of primary care and substance abuse specialty care will not be feasible, meaningful, or sustainable until this balance is reached.